Restrict authentication types per user